Top Post-Quantum Cryptography Companies and NIST PQC Standards Guide

Every encrypted message captured today by an adversary patient enough to hold it for fifteen years is, in 2026, a candidate for retroactive decryption. That is the simple and uncomfortable shape of the harvest-now-decrypt-later threat model that drives the work of the top post-quantum cryptography companies and the standards bodies they orbit. By 2035 NIST expects organisations to have retired the public-key algorithms that secure most of the internet. Some industries (defence, banks holding long-lived secrets, government archives) are expected to migrate well before then. This article is a working guide to what the algorithms are, who builds them, and which infrastructure providers have already started shipping them in production.

What Q-Day means for your data

Q-Day is the working name cryptographers give to the moment a sufficiently large fault-tolerant quantum computer first runs Shor’s algorithm against the public-key systems most of the world relies on: RSA, Diffie-Hellman, and elliptic-curve variants. Nobody knows exactly when Q-Day arrives. Estimates from serious researchers cluster between 2030 and 2040, but the threat model that matters now is not Q-Day itself. It is the much earlier reality that an adversary recording encrypted traffic today can store it cheaply for a decade or more and then decrypt it on the day a useful quantum computer comes online.

That is why the migration timeline is being pulled forward across regulated industries. Independent threat-model research like Project Eleven’s 2033 Q-Day baseline scenario places the cryptographically relevant breakthrough inside the planning horizon for almost every enterprise IT roadmap. The US National Institute of Standards and Technology (NIST) has set a target of deprecating quantum-vulnerable algorithms by 2035 in its post-quantum cryptography programme. High-risk systems are expected to transition much earlier.

Cloudflare and Google have publicly committed to 2029 deadlines for full post-quantum migration of their own infrastructure. Apple, Signal, and a handful of other messaging platforms shipped post-quantum protections already, and Microsoft and AWS are partway through hyperscale rollouts. The canonical reference is the NIST PQC project page tracking algorithms and post-quantum cryptography companies by status.

For everyone else, the practical question is no longer whether to migrate but in what order. That order, in turn, is shaped by which algorithms NIST has finalised, which post-quantum cryptography companies sell production-grade implementations of those algorithms, and which infrastructure layers (TLS, code-signing, identity, document signing, secure messaging) carry the longest-lived secrets.

How NIST chose the post-quantum cryptography standards

NIST opened the post-quantum cryptography standardisation competition in late 2016 with sixty-nine submissions from cryptographers worldwide. The criteria mixed mathematical security, performance on constrained hardware, key and signature sizes, and the diversity of mathematical foundations. NIST wanted a portfolio that would survive a breakthrough against any one family of problems. The history of quantum computing gave the standards body real reason to plan for that breakthrough rather than assume current cryptography would last.

The competition ran for nearly eight years. Several early candidates fell to creative attacks during the third round, most famously SIKE (Supersingular Isogeny Key Encapsulation), which was broken on a laptop in an afternoon by Wouter Castryck and Thomas Decru in 2022. Lattice-based schemes survived intense cryptanalysis and emerged as the workhorses of the new standards. Hash-based and code-based schemes were retained as conservative alternatives in case the lattice family later cracks. On 13 August 2024 NIST published the first three FIPS post-quantum cryptography standards. A fourth, FN-DSA (Falcon), is in active standardisation as a compact-signature alternative, and a fifth, Hamming Quasi-Cyclic or HQC, was selected on 11 March 2025 as a code-based backup to ML-KEM.

The three finalised FIPS standards

FIPS 203 ML-KEM (formerly CRYSTALS-Kyber)

FIPS 203 specifies Module-Lattice-based Key-Encapsulation Mechanism, or ML-KEM, the algorithm most people will encounter first as their TLS handshake silently switches to a post-quantum hybrid. ML-KEM replaces the Diffie-Hellman key exchange that secures HTTPS, IKE, secure shell, and a long list of other protocols. Its security is reduced to the Module Learning with Errors problem, a lattice problem believed to be hard for both classical and quantum computers.

The standard ships three parameter sets: ML-KEM-512, ML-KEM-768, and ML-KEM-1024, corresponding loosely to AES-128, AES-192, and AES-256 security levels. Performance is excellent: ML-KEM-768 keys are around 1,200 bytes for the public key and 1,100 bytes for ciphertext, with sub-millisecond software performance on commodity CPUs. The main cost is the bytes added to each TLS handshake. AWS measured the overhead at roughly 1,600 additional bytes and 80 to 150 microseconds of compute per connection. That is the price of post-quantum cryptography in the TLS path: small, but enough that some embedded and IoT scenarios still need careful planning.

FIPS 204 ML-DSA (formerly CRYSTALS-Dilithium)

FIPS 204 specifies the Module-Lattice-based Digital Signature Algorithm, ML-DSA, with parameter sets ML-DSA-44, ML-DSA-65, and ML-DSA-87. ML-DSA replaces RSA and ECDSA in roles where speed matters more than signature size: code signing, certificate signing, document signing, and a long tail of internal signing systems. The signatures are noticeably larger than ECDSA (around 2 to 4 KB depending on parameter set) but verification is fast and key generation is cheap, which is what most large signing systems care about.

For most enterprises, ML-DSA is the algorithm that touches the most internal systems during migration. Code-signing pipelines, internal certificate authorities, software supply chain attestations, and document signing all rely on signature schemes that ML-DSA can replace. Microsoft’s SymCrypt now ships ML-DSA in production, AWS KMS supports ML-DSA quantum-resistant signatures and roots of trust, and several certificate authorities have begun issuing test certificates that combine ECDSA with ML-DSA in hybrid form.

FIPS 205 SLH-DSA (formerly SPHINCS+)

FIPS 205 is the conservative pick: Stateless Hash-Based Digital Signature Algorithm, SLH-DSA, derived from SPHINCS+. SLH-DSA does not rely on lattice mathematics. Its security reduces to the security of cryptographic hash functions. If a future cryptanalytic breakthrough invalidates the lattice family (the underlying problem class for both ML-KEM and ML-DSA), SLH-DSA continues to work because its security model is fundamentally different.

The cost of that hedge is signature size. SLH-DSA signatures are between 8 KB and 50 KB depending on parameter set, far larger than ML-DSA. Signing is also slower. Most organisations will not deploy SLH-DSA as the default signature, but they will keep it in the toolbox for high-value, low-volume signing where the resilience guarantee matters more than the byte count: long-lived root signing keys, software bill-of-materials attestations, and certain government archive signing scenarios.

FIPS draft: FN-DSA and HQC

Two further algorithms are in active standardisation. FN-DSA, the FIPS 206 draft based on Falcon, offers compact signatures (around 1 KB) using a different lattice construction (NTRU). The trade-off is implementation complexity: Falcon needs floating-point arithmetic in its signing path, which raises the bar for constant-time, side-channel-resistant implementations. NIST is finalising the standard with help from cryptographers who have rebuilt Falcon’s signing routine in fixed-point arithmetic.

HQC is the code-based fallback for ML-KEM, selected on 11 March 2025. Like SLH-DSA, HQC sits in the portfolio as insurance: if a future attack breaks lattice-based key encapsulation, organisations have a code-based alternative ready. The draft standard is expected in early 2026 with the final in 2027. Most post-quantum cryptography companies are already tracking HQC as a roadmap item rather than a production deliverable.

The post-quantum cryptography vendor landscape

The pure-play post-quantum cryptography companies ship the libraries, hardware, and platforms that enterprises and integrators consume. Eight vendors stand out in 2026 across four categories: cryptographic libraries and toolkits, full quantum-safe platforms, hardware security modules, and QKD-PQC hybrid networks. Funding ranges from ten-figure venture rounds (SandboxAQ at $1.4 billion plus) to undisclosed-but-modest rounds at the QKD vendors. Customer concentration is heavy in defence, financial services, and central banking.

PQShield

Library + silicon · Oxford, UK · Founded 2018

Oxford-spinout shipping NIST-compliant PQC libraries in software and dedicated silicon. PQShield is among the very few PQC vendors that has taped out a working post-quantum cryptography test chip, demonstrating ML-KEM and ML-DSA on hardware rather than only as software libraries. The 91-employee company holds 30 patent families across lattice cryptography and side-channel resistance, and counts AMD, Microchip Technologies, Collins Aerospace, and Lattice Semiconductor among production embedded customers. The company was selected as a vetted UK NCSC PQC Pilot provider for the 2025-2027 government migration programme. The June 2024 Series B was led by Addition with participation from Chevron Technology Ventures, Legal and General, and Oxford Science Enterprises.

pqshield.com →

SandboxAQ

Quantum-safe platform · Palo Alto, US · Founded 2022

Alphabet spinout founded in 2022, taking the AI plus quantum-security thesis from Google’s research labs into a private company. The Security Suite for cryptographic vulnerability remediation is the flagship enterprise PQC product, sitting alongside AQNav real-time quantum navigation, AQBioSim drug discovery, and Large Quantitative Models for biopharma, chemistry, and finance. The five-year US Department of Defense contract for PQC migration positions SandboxAQ as a defence-grade cryptographic vendor at the same scale as legacy incumbents. Total raised exceeds $1.4B, including a $450M Series E in 2025 at a $5.3B pre-money valuation. December 2025 FedRAMP Ready status unlocks federal sales; recent wins include Dow Chemical, Mayo Clinic CardiAQ, and a deployment across 60 Bahrain government ministries.

sandboxaq.com →

ISARA

Crypto-agility toolkits · Waterloo, Canada · Founded 2015

One of the longest-running pure-play PQC specialists, spun out of BlackBerry’s research lab in 2015 to commercialise crypto-agility expertise that the parent had been developing for over a decade. The flagship products are crypto-agility toolkits, quantum risk assessment services, and cryptographic inventory platforms that anchor migrations rather than just shipping the algorithms themselves. ISARA was a contributor to the early NIST PQC competition and continues to influence the standards-tracking process. The company holds 35 patent families and is backed by Quantum Valley Investments, Lakestar, and GIC. Since January 2026, Carahsoft has distributed ISARA solutions to US public-sector customers via NASA SEWP V and other federal contracting vehicles, opening procurement channels that smaller PQC vendors typically cannot access.

isara.com →

Crypto4A

Hardware Security Modules · Ottawa, Canada · Founded 2012

Ottawa-based hardware security module specialist, building tamper-resistant quantum-safe HSMs that integrate NIST-compliant PQC algorithms directly into the silicon. The QxHSM product line targets regulated industries (finance, government, telecoms) where key-storage attestation is mandatory and where pure-software PQC libraries are not sufficient for compliance. Crypto4A featured in the February 2026 Nokia Blueprint 7 quantum-safe optical network trial alongside Nokia Canada, Numana, and evolutionQ, validating QxHSM for telecoms-grade key management. The company received a $3.75M repayable contribution from Canada’s Federal Economic Development Agency for Southern Ontario as part of a $7.5M Quantum-Safe Secure Manufacturing Initiative. Crypto4A emphasises Canadian engineering and manufacturing as an explicit sovereignty argument against foreign HSM lock-in.

crypto4a.com →

evolutionQ

Quantum-safe platform · Toronto, Canada · Founded 2015

Toronto-based quantum-cybersecurity platform co-founded by Michele Mosca, who runs the Institute for Quantum Computing at the University of Waterloo and has driven much of the academic-industrial PQC connection in Canada. The Basejump platform deliberately combines symmetric key infrastructure, classical asymmetric cryptography, and post-quantum cryptography in layered hybrid mode, on the thesis that real-world migration requires all three to coexist for years. evolutionQ holds a Bank of Canada contract for quantum-safe digital currency research, one of the more significant central-bank engagements in the PQC sector. The company also participated in Nokia Blueprint 7 alongside Crypto4A, validating Basejump in optical-network deployments. Quantum risk consulting and migration services round out the portfolio.

evolutionq.com →

Post-Quantum

Cryptographic libraries · London, UK · Founded 2009

London-based specialist founded in 2009, predating the NIST PQC standardisation competition by seven years and the eventual FIPS standards by fifteen. The company built cryptographic libraries, security protocols, and migration tools spanning the full FIPS suite (203, 204, 205) and contributed the NTS-KEM submission to the original NIST PQC competition. Among PQC vendors, Post-Quantum has the deepest UK government and financial-services book of business, including defence and critical-national-infrastructure customers. The 30 patent families span lattice cryptography, code-based cryptography, and side-channel-resistant implementations. Backers include Lakestar, Lightspeed Venture Partners, and GIC across multiple rounds. Despite a relatively small headcount, the company punches above its weight in standards bodies and sovereign customer wins.

post-quantum.com →

QuintessenceLabs

QKD-PQC hybrid · Sydney, Australia · Founded 2008

Sydney-based quantum-safe security company founded in 2008 and still led by founder and CEO Vikram Sharma. The product portfolio combines hardware quantum random number generators (one of the very few production-grade QRNG products globally), quantum key management systems, and post-quantum cryptography implementations. QuintessenceLabs is a rare example of a vendor that has shipped quantum-physics-derived hardware (QRNG) at production scale rather than pure software, making it useful where regulators demand physical sources of entropy. The eight patent families cover QRNG and quantum key management. Customers span Australian government, financial services, and defence, plus international customers in the UK and US. The company is one of the longest-running pillars of the Asia-Pacific quantum-cybersecurity ecosystem.

quintessencelabs.com →

Quantum Xchange

QKD-PQC hybrid · Bethesda, US · Founded 2018

Bethesda-based provider of quantum key distribution combined with post-quantum cryptography network services. Quantum Xchange is one of the very few US-based vendors that operates a production QKD network rather than only shipping libraries. The Phio TX platform combines optical-fibre QKD key delivery with NIST-compliant PQC algorithms for authentication and broader applicability where direct fibre is unavailable. The backbone covers the US East Coast and serves financial services, healthcare, and government customers with regulatory or threat-model requirements for both physics-grade key delivery and algorithmic security. The company is backed by an investor syndicate including Lakestar, Lightspeed Venture Partners, and GIC. Operating real US fibre infrastructure (rather than just selling software) is the unique differentiator.

quantumxc.com →

What the vendor list reveals

Three things are worth noting about this vendor list. First, the geography skews heavily towards Anglosphere countries plus continental Europe. There is no Chinese vendor on the list because the Chinese PQC ecosystem is structured around government and academic institutions rather than independent companies.

Second, the QKD-PQC hybrid vendors (QuintessenceLabs and Quantum Xchange) sell a fundamentally different product from the pure-PQC vendors. They serve a much narrower market: organisations that have a regulatory or threat-model requirement for fibre-grade key delivery in addition to algorithmic security. For background on how the optical-fibre side works, our primer on quantum key distribution covers the BB84 family of protocols, decoy-state methods, and the operational realities of running QKD over commercial fibre.

Third, several of the most influential post-quantum cryptography companies are not in the list at all because they are not commercial entities: NIST itself, the IRTF Crypto Forum Research Group, the Open Quantum Safe project at the University of Waterloo, and the academic research groups at IBM, ETH Zurich, CWI Amsterdam, and Cloudflare Research that contributed the algorithms in the first place.

Big-cloud and big-tech rollouts

The integrators are where post-quantum cryptography reaches scale. Six big-cloud and big-tech rollouts cover most internet traffic, almost all consumer messaging at scale, and a growing share of enterprise infrastructure. The pattern is consistent: each integrator first ships ML-KEM in TLS or in messaging key establishment, then adds ML-DSA for signatures, with SLH-DSA following for conservative high-value paths.

Cloudflare

Integrator · Internet infrastructure · United States

Cloudflare runs the largest production deployment of post-quantum cryptography on the public internet. ML-KEM hybrid TLS is enabled by default across the company’s edge, and more than half of all human traffic Cloudflare processes already uses post-quantum key agreement. The published roadmap is unusually detailed: post-quantum origin authentication mid-2026, Merkle Tree Certificates mid-2027, full SASE-suite coverage by early 2028, and a 2029 deadline for full post-quantum cryptography across the entire product portfolio including authentication. Cloudflare Research is one of the leading academic contributors to post-quantum standards work and runs the open Cloudflare Radar PQC dashboard so customers and the broader internet can track real-world adoption rates.

Cloudflare PQ roadmap →

Amazon Web Services

Integrator · Public cloud · United States

AWS rolled out hybrid post-quantum TLS to AWS KMS in 2024, expanded to AWS Certificate Manager and AWS Secrets Manager in early 2026, and is rolling forward to all AWS service HTTPS endpoints over the coming years. ML-KEM is now the default hybrid algorithm; CRYSTALS-Kyber endpoints will be removed across all AWS services during 2026 once customer migrations complete. AWS KMS additionally supports ML-DSA quantum-resistant signatures and roots of trust for harvest-now-decrypt-later defence. AWS measures the overhead at roughly 1,600 additional bytes and 80 to 150 microseconds of compute per TLS handshake, a cost most customers absorb without noticing. The recommended migration pattern is: keep TLS clients and SDKs current, then update internal services that connect to AWS endpoints.

AWS PQC →

Microsoft

Integrator · OS, cloud, identity · United States

Microsoft’s main cryptographic library, SymCrypt, now ships ML-KEM and ML-DSA in production across Azure, Microsoft 365, Windows 11 client, and Windows Server 2025 following the November 2025 update. SLH-DSA support is following in subsequent updates, completing the FIPS suite. Active Directory Certificate Services PQC general availability is targeted for early 2026, which will be the largest single Microsoft surface-area expansion of post-quantum cryptography because every enterprise PKI built on ADCS becomes PQ-capable in one upgrade. Microsoft also publishes a detailed enterprise transition companion guide for IT teams migrating internal systems. Cryptography API: Next Generation (CNG) and the Certificate functions both expose ML-KEM to Windows developers; the SymCrypt library is open source and is used in Azure Linux as well.

Microsoft PQC →

Google

Integrator · Browser + cloud · United States

Google was the first major browser vendor to ship hybrid post-quantum key agreement to end users at scale. Chromium enables ML-KEM hybrid TLS by default, putting PQC into the handshake of every Chrome user silently and at zero cost to website operators. The March 2026 announcement set 2029 as the deadline for full post-quantum cryptography migration across Google infrastructure, matching the Cloudflare commitment and creating a rare industry coordination point that smaller vendors track against. Google Cloud has published PQC migration tooling for enterprise customers, and Google is a primary contributor to the IETF post-quantum TLS standardisation track. Earlier hybrid Kyber experiments in Chromium produced public performance data that informed both AWS and Apple PQ3 design choices.

Google Cloud PQC →

Apple PQ3 (iMessage)

Integrator · Consumer messaging · United States

Apple PQ3 has shipped in iMessage since iOS 17.4 and the corresponding iPadOS, macOS, and watchOS updates in 2024. PQ3 is the first messaging protocol to reach what Apple calls Level 3 post-quantum security: Kyber (now NIST-standardised as ML-KEM) is used not just at session initialisation but inside the ongoing ratcheting that protects forward secrecy. Going beyond Signal’s PQXDH, this means a quantum adversary cannot decrypt past or future messages even after capturing one specific key. An independent formal analysis of PQ3 was published at USENIX Security 2025, confirming the security properties under quantum adversaries. The protocol upgrade reaches roughly 1.4 billion active iMessage devices.

Apple PQ3 research →

Signal PQXDH

Integrator · Consumer messaging · United States

Signal Messenger has shipped PQXDH (Post-Quantum Extended Diffie-Hellman) since 2023, extending Signal’s classical X3DH key agreement with an ML-KEM post-quantum step at session initialisation. PQXDH provides Level 2 post-quantum messaging: a quantum adversary capturing the session-establishment traffic cannot derive the symmetric key. Once the session is established, ratcheting is classical, so an adversary who later compromises a future ratchet key can decrypt subsequent messages until the next ratchet refresh. PQXDH is deployed via the Signal Protocol library to WhatsApp and Microsoft Skype as well as Signal Messenger itself, putting post-quantum cryptography on roughly two billion messaging endpoints worldwide. The protocol design served as a published reference for Apple PQ3.

Signal PQXDH spec →

The Cloudflare and Google 2029 deadlines deserve attention. Two majority infrastructure providers committing publicly to the same timeline is rare and creates an industry coordination point that other vendors implicitly track against. Cloudflare’s roadmap is the most detailed in the public domain. Google has been quieter on the milestone schedule but committed to the same 2029 endpoint in a March 2026 announcement. Apple and Signal already shipped, in different ways: Apple PQ3 reaches Level 3 PQ messaging by using ML-KEM in the ongoing ratchet, while Signal PQXDH uses ML-KEM only at session initialisation (Level 2). Both protocols are deployed at scale, putting post-quantum cryptography on roughly two billion endpoints.

When your organisation should migrate

Step one: cryptographic inventory

The honest answer for most organisations in 2026 is: start the inventory work now, even if the migration itself is two or three years off. The first practical step is producing a cryptographic bill of materials, an inventory of which systems use which algorithms, which protocols, and which key sizes, with owners and renewal cadences attached. The Cloud Security Alliance recently published an industry guide for transitioning to post-quantum cryptography that walks through the inventory step in detail.

That inventory is the bottleneck for almost every PQC migration. The longest part of the work is finding all the places cryptography is used and quietly assumed to be RSA or ECDSA. The post-quantum cryptography companies in the list above all sell some flavour of cryptographic inventory and migration tooling because customers asked for it before they asked for the algorithms themselves.

Step two: order by risk and lifetime

Once the inventory exists, the migration path tends to follow risk: start with anything that protects long-lived confidentiality (medical records, government archives, financial transaction histories), then move to authentication-critical systems (code signing, certificate authorities, identity), then everything else. Hybrid deployments (ML-KEM plus the existing classical algorithm in parallel) buy time during the cutover and are the dominant pattern across cloud providers today. Pure post-quantum deployments come later, once the algorithms have racked up another two or three years of production use.

What your cloud provider does for you

For organisations that build software on cloud providers, much of the migration is being done for them. AWS, Microsoft, Google, and Cloudflare are switching their default algorithms underneath their customers, which means a TLS connection from an AWS customer to an AWS service is increasingly post-quantum without the customer doing anything. The customer’s job is to keep TLS clients and SDKs current and to update internal systems that do not run on hyperscaler infrastructure.